Liars and Outliers is available. Amazon and Barnes & Noble have been shipping the book since the beginning of the month. Both the Kindle and the Nook versions are available for download. (Yes, Amazon's webpage claims that the book will be published on February 21, 2012, but they ship copies as soon as they get them -- this ain't Harry Potter.) I have received 250 books myself. Everyone who read and commented on a draft will get a copy in the mail. And as of today, I have shipped books to everyone who ordered a signed copy.

I've seen five more reviews. And there's one print and one audio (there's also a transcript) interview about the book.

A bunch of people on Twitter have announced that they're enjoying the book. Right now, there are only three reviews on Amazon. Please, leave a review on Amazon. (I'll write about the problem of fake reviews on these sorts of sites in another post.)

I'm not sure, but I think the Kindle price is going to increase. So if you want the book at the current $10 price, now is the time to buy it.

At the end of February, I'll be at the RSA Conference in San Francisco. In addition to my other speaking events, Davi Ottenheimer will interview me about the book at something called The Author's Studio. I'll be doing two one-hour book signings at the conference bookstore. And, and this is the best news of all, HP has bought 1,000 copies of the book and will be giving them away at their booth. I'll be doing a couple of signings there as well.

3. Screener confiscates them anyway, because of their "material and appearance."

4. Because they're not actually a threat, screener leaves them at the checkpoint.

5. Everyone forgets about them.

6. Six hours later, the next shift of TSA screeners notices the pipes and -- not being able to explain how they got there and, presumably, because of their "material and appearance" -- calls the police bomb squad to remove the pipes.

7. TSA does not evacuate the airport, or even close the checkpoint, because -- well, we don't know why.

A merchant is suing his bank, claiming that the PCI standard "force[s] merchants to sign one-sided contracts that are based on information that arbitrarily changes without notice, and that they impose random fines on merchants without providing proof of a breach or of fraudulent losses and without allowing merchants a meaningful opportunity to dispute claims before money is seized." The PCI standard is probably the biggest non-government security standard. It'll be interesting to see how this turns out.
http://www.wired.com/threatlevel/2012/01/pci-lawsuit/

The NSF is funding research on giving organizations information-security risk ratings, similar to credit ratings for individuals.
http://www.nsf.gov/awardsearch/showAward.do?...
I have no idea if this is snake oil or if it actually works, but note that this is a Phase II award. There was already a Phase I award, and the NSF must have liked the results from that.

The problems of too much information sharing. Yes, it's fake. But it's funny.
http://i.imgur.com/rsQ93.png
http://www.reddit.com/r/funny/comments/owx3v/...

The error rate for hand-counted ballots can be as high as two percent.
http://www.sciencedaily.com/releases/2012/02/...
All voting systems have nonzero error rates. This doesn't surprise technologists, but does surprise the general public. There's a myth out there that elections are perfectly accurate, down to the single vote. They're not. If the vote is within a few percentage points, they're likely a statistical tie. (The problem, of course, is that elections must produce a single winner.)

Last month, a U.S. court demanded that a defendant surrender the encryption key to a laptop so the police could examine it.

Now it seems that she's forgotten the key.

What happens now? It seems as if this excuse would always be available to someone who doesn't want the police to decrypt her files. On the other hand, it might be hard to realistically forget a key. It's less credible for someone to say "I have no idea what my password is," and more likely to say something like "it was the word 'telephone' with a zero for the o and then some number following -- four digits, with a six in it -- and then a punctuation mark like a period." And then a brute-force password search could be targeted. I suppose someone could say "it was a random alphanumeric password created by an automatic program; I really have no idea," but I'm not sure a judge would believe it.
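What a "targeted brute-force password search" against that kind of half-remembered password looks like in practice, as an added example (this is not code from the newsletter, and the recollection it models is the hypothetical one in the paragraph above: "telephone" with a zero for the o, four digits containing a six, then a punctuation mark). The word variants, the punctuation set and the target hash are constructed for the demo, and SHA-256 stands in for whatever slow key-derivation function a real disk-encryption product would use:

```python
"""Targeted password search from a partial recollection.

Added example; not from the newsletter. Models the hypothetical
recollection quoted above. The target hash is constructed for the demo,
and SHA-256 stands in for a real product's slow KDF (assumption).
"""
import hashlib
import itertools
import string

# Option sets assumed from the description.
BASE_WORDS = ["teleph0ne", "Teleph0ne", "telephone", "Telephone"]  # assumed variants
PUNCTUATION = ".!?,;:"  # assumed: "a punctuation mark like a period"


def four_digits_with_a_six():
    """Every 4-digit string containing at least one '6': 10**4 - 9**4 = 3439."""
    for digits in itertools.product("0123456789", repeat=4):
        if "6" in digits:
            yield "".join(digits)


def candidates():
    """Enumerate the constrained keyspace, most likely guess first."""
    for word in BASE_WORDS:
        for num in four_digits_with_a_six():
            for mark in PUNCTUATION:
                yield f"{word}{num}{mark}"


def candidate_count():
    """Size of the constrained keyspace: 4 * 3439 * 6 = 82,536 guesses."""
    return len(BASE_WORDS) * (10**4 - 9**4) * len(PUNCTUATION)


def unconstrained_count(length):
    """Keyspace for a password of the same length with no hints at all
    (letters, digits and punctuation allowed in every position)."""
    alphabet = len(string.ascii_letters) + len(string.digits) + len(string.punctuation)
    return alphabet ** length


def sha256_hex(password):
    return hashlib.sha256(password.encode()).hexdigest()


def search(target_hash, hash_fn=sha256_hex):
    """Return (password, guesses_tried), or (None, total_tried) if no candidate matches."""
    tried = 0
    for guess in candidates():
        tried += 1
        if hash_fn(guess) == target_hash:
            return guess, tried
    return None, tried


if __name__ == "__main__":
    target = sha256_hex("teleph0ne4561.")  # constructed "forgotten" password
    found, tries = search(target)
    print(f"recovered {found!r} after {tries} of {candidate_count()} guesses")
    print(f"unconstrained 14-char keyspace for comparison: {unconstrained_count(14):.2e}")
```

The point of the numbers: the vague description collapses a 14-character keyspace of roughly 10^27 possibilities to about 82,000 guesses, which is trivial even against a deliberately slow KDF. Any detail the owner can recall (a base word, a digit constraint, where the punctuation goes) shrinks the search this way, which is why "I sort of remember" is a much weaker position than "it was random and I never knew it."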

DARPA is funding research into new forms of biometrics that authenticate people as they use their computer: things like keystroke patterns, eye movements, mouse behavior, reading speed, and surfing and e-mail response behavior. The idea -- and I think this is a good one -- is that the computer can continuously authenticate people, and not just authenticate them once when they first start using their computers.
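A minimal version of one of those behavioral signals, keystroke timing, as an added example (not DARPA's code or anything from the newsletter). It enrols a profile of how a user types (how long keys are held, how long the gap between keys is), then scores a live session window by window and demands re-authentication after two anomalous windows in a row. All timings come from a seeded generator and are constructed; the window size, threshold and strike count are assumptions:

```python
"""Continuous authentication from keystroke timing.

Added example; not DARPA's or the newsletter's code. Timings are
constructed with a seeded generator; thresholds are assumptions.
"""
import random
import statistics


def features(events):
    """events: list of (key_down_ms, key_up_ms). Returns (dwell times, flight times)."""
    dwells = [up - down for down, up in events]
    flights = [events[i + 1][0] - events[i][1] for i in range(len(events) - 1)]
    return dwells, flights


def enrol(sessions):
    """Profile = mean and stdev of dwell and flight over all enrolment sessions."""
    dwells, flights = [], []
    for session in sessions:
        d, f = features(session)
        dwells += d
        flights += f
    return {"dwell": (statistics.mean(dwells), statistics.pstdev(dwells)),
            "flight": (statistics.mean(flights), statistics.pstdev(flights))}


def score(profile, events):
    """Mean absolute z-score of a window's timings against the profile (lower = more like the user)."""
    zs = []
    for values, name in zip(features(events), ("dwell", "flight")):
        mu, sd = profile[name]
        sd = sd or 1.0  # guard a degenerate profile
        zs += [abs(v - mu) / sd for v in values]
    return sum(zs) / len(zs)


def monitor(profile, stream, window=8, threshold=2.0, strikes=2):
    """Slide non-overlapping windows over the live event stream. Return the start
    index of the window at which re-authentication is demanded, or None if the
    session never accumulates `strikes` consecutive anomalous windows."""
    bad = 0
    for start in range(0, len(stream) - window + 1, window):
        if score(profile, stream[start:start + window]) > threshold:
            bad += 1
            if bad >= strikes:
                return start
        else:
            bad = 0
    return None


def synth_session(n, dwell_mu, flight_mu, seed):
    """Constructed typing session: n key events with jittered dwell/flight times (ms)."""
    rng = random.Random(seed)
    t, events = 0.0, []
    for _ in range(n):
        down = t
        up = down + rng.gauss(dwell_mu, dwell_mu * 0.10)
        events.append((down, up))
        t = up + rng.gauss(flight_mu, flight_mu * 0.15)
    return events


# Enrolled user: ~90 ms holds, ~120 ms gaps. The impostor is slower on both.
PROFILE = enrol([synth_session(60, 90, 120, seed) for seed in range(3)])
GENUINE_STREAM = synth_session(48, 90, 120, seed=99)
IMPOSTOR_STREAM = synth_session(48, 150, 250, seed=7)

if __name__ == "__main__":
    print("genuine session flagged at window:", monitor(PROFILE, GENUINE_STREAM))
    print("impostor session flagged at window:", monitor(PROFILE, IMPOSTOR_STREAM))
```

The design choice worth noting is the strike counter: a single odd window (one-handed typing while holding a phone) should not log the user out, so the decision is made on a run of anomalies, and the threshold trades false lockouts against how long an impostor gets before being challenged. A real system would use per-key-pair timings and many more features, but the shape (enrol, score a window, decide on a run of scores) is the same.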

I remember reading a science fiction story about a computer worm that searched for people this way: going from computer to computer, trying to identify a specific individual.

In 2005, I wrote an essay called "The Failure of Two-Factor Authentication," where I predicted that attackers would get around multi-factor authentication systems with tools that attack the transactions in real time: man-in-the-middle attacks and Trojan attacks against the client endpoint.
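The real-time man-in-the-middle attack from that prediction, played out against a toy bank, as an added example (not code from the essay or the newsletter). It goes one step past the paragraph by also showing the countermeasure: a code bound to the transaction rather than to the session. The shared secret, amounts and payee names are constructed, and the OTP truncation is a toy rather than the RFC 4226 dynamic offset:

```python
"""Why a one-time password alone does not stop a real-time man-in-the-middle.

Added example; not code from the 2005 essay. A phisher sits between the
user and the bank, relays the user's fresh counter-based OTP within its
validity, and substitutes its own payee. The second verifier binds the
code to (amount, payee), so a relayed code no longer authorises a
different transfer. Secret, amounts and payees are constructed.
"""
import hashlib
import hmac

SEED = b"constructed-shared-token-secret"  # assumed secret shared by token and bank


def otp(counter):
    """Counter-based OTP: 6 digits from HMAC-SHA1 over the counter (toy truncation)."""
    mac = hmac.new(SEED, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def tx_code(counter, amount, payee):
    """OTP bound to what is being authorised: HMAC over counter || amount || payee."""
    msg = counter.to_bytes(8, "big") + f"{amount}|{payee}".encode()
    mac = hmac.new(SEED, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class Bank:
    def __init__(self):
        self.counter = 0  # next OTP counter the bank expects
        self.ledger = []  # (amount, payee) transfers that were accepted

    def _commit(self, amount, payee):
        self.counter += 1
        self.ledger.append((amount, payee))
        return True

    def transfer_with_otp(self, code, amount, payee):
        """Session-style check: the code proves the token holder is present, nothing more."""
        if not hmac.compare_digest(code, otp(self.counter)):
            return False
        return self._commit(amount, payee)

    def transfer_with_tx_code(self, code, amount, payee):
        """Transaction-bound check: the code is only valid for this amount and payee."""
        if not hmac.compare_digest(code, tx_code(self.counter, amount, payee)):
            return False
        return self._commit(amount, payee)


def mitm_against_otp():
    """User wants to pay the landlord; the phisher relays the live code with its own payee."""
    bank = Bank()
    user_code = otp(bank.counter)  # what the token displays; typed into the phisher's page
    accepted = bank.transfer_with_otp(user_code, 100, "mule-account")  # phisher's request
    return accepted, bank.ledger


def mitm_against_tx_code():
    """Same relay against a code bound to the (amount, payee) the user actually approved."""
    bank = Bank()
    user_code = tx_code(bank.counter, 100, "landlord")
    relayed = bank.transfer_with_tx_code(user_code, 100, "mule-account")  # substituted payee
    honest = bank.transfer_with_tx_code(user_code, 100, "landlord")  # the genuine request
    return relayed, honest, bank.ledger


if __name__ == "__main__":
    print("plain OTP, relayed by phisher:", mitm_against_otp())
    print("transaction-bound code, relayed:", mitm_against_tx_code())
```

The caveat is the second half of the prediction: transaction binding only helps if the user sees and confirms the real amount and payee on something the attacker does not control (a token with its own display, a separate phone). A Trojan on the client endpoint can show the user the landlord while submitting the mule, and the user will happily compute the code for the transaction the attacker wants.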

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <http://www.schneier.com/crypto-gram.html>. Back issues are also available at that URL.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the best sellers "Schneier on Security," "Beyond Fear," "Secrets and Lies," and "Applied Cryptography," and an inventor of the Blowfish, Twofish, Threefish, Helix, Phelix, and Skein algorithms. He is the Chief Security Technology Officer of BT BCSG, and is on the Board of Directors of the Electronic Privacy Information Center (EPIC). He is a frequent writer and lecturer on security topics. See <http://www.schneier.com>.

Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of BT.